The criminal use of encryption to hide malware is growing rapidly. In the first half of 2019 the use of encryption by malware almost equaled the entire encrypted volume of 2018, and is not likely to slow. Today, nearly a quarter of malware communicates using TLS.
The reason is simple: encryption obfuscates malware code, making it difficult to analyze; prevents users from accessing the component files in the event of an infection; and hides and secures the attackers’ malicious network communication. In short, malware encryption makes it harder for traditional defenses to detect and mitigate that malware.
Malware normally collects victim machine data as the first phase of victim reconnaissance. If this data is encrypted before being sent back to the attacker — especially if the destination is a legitimate service (like Pastebin or GitHub) that also normally communicates with encryption — it is less likely to be detected as any form of communication from internal malware to external attacker.
The success of hiding malware communications within encryption may partly explain the growth of malware taking new instructions from its C2 server over having the entire functionality coded within the malware. This in turn makes the initial malware infection smaller and less likely to be detected. “Without the protective layer of TLS encryption obfuscating the contents of this communication,” writes SophosLabs threat researcher Luca Nagy, “a sharp-eyed analyst or data loss prevention tool might easily catch this type of theft in the act, before any harm may come as a result.”
SophosLabs wanted to quantify the extent of encryption use by malware, and looked at a selection of malware analyses from the last six months. “Around 23% of all malware families we sampled use encrypted communication to send or receive data from the C2, or during installation when they may use https to conceal the fact that they are retrieving malicious payloads or components,” it found.
Sixteen percent of the malware samples examined were infostealers, and 44% of those (much higher than the 23% average across all samples) communicated via port 443, the standard port used for TLS-encrypted https communications.
The report highlights three prolific malware families that use encrypted communications. The first is TrickBot, malware whose primary goal is to steal information about the system, the user, their browsers, the network on which the computer is running, the email accounts that belong to the victim and, particularly, bank or other financial account passwords and credentials. It can be delivered directly, or dropped by other malware such as Emotet.
TrickBot usually downloads its modules over https before injecting them into an instance of the legitimate Windows component svchost.exe. It exfiltrates the data it collects via https POST requests, over the standard TLS port 443 and sometimes 449/TCP. This data is further encrypted using CryptoAPI.
The second family is IcedID, a banking trojan that uses web injection attacks against browsers. It too injects itself into svchost.exe, and can spread laterally through the network. Like TrickBot, it uses SSL/TLS for C2 communication. Configuration files are downloaded over TLS, while the responses are also encrypted using the RC4 cipher.
The third family is Dridex, a banking trojan delivered by phishing campaigns and sometimes dropped by Emotet. It has been under continuous development since being first spotted in 2011. It is also an infostealer with the ability to steal credentials, cookies, certificates, keystrokes, and even take screenshots.
“Dridex frequently uses HTTPS on port 443 to download payload modules or send the collected data,” comments SophosLabs. “The exfiltrated data can additionally be encrypted using RC4, if the attacker desires.”
The primary message of the report is that the proportion of malware implementing TLS to protect its communication has been increasing and will likely continue to do so. This raises strong concerns about the ability to detect and defend against malicious actors’ adoption of transport layer security. The three malware families discussed in the report have been among the most prolific and successful malware families of recent years, and their use of encryption likely explains at least part of that success.
“In order to protect yourself,” concludes SophosLabs, “it’s important to inspect network traffic and check the TLS certificate details of https communications. You should pay significant attention to unusual or unexpected volumes of https traffic to unknown domains or using invalid or forged TLS certificates.”
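As an added illustration of the advice above (not code from the article or from SophosLabs), the following script applies those checks to a handful of constructed TLS connection records: certificate validation failures, TLS to domains outside a local allowlist, TLS on a port other than 443 (the article notes TrickBot also uses 449/TCP), and unusually large outbound volume per source/destination pair, which catches exfiltration even to a legitimate, allowlisted service such as Pastebin. The record layout, the allowlist, the threshold and all sample values are assumptions made for this example.

```python
"""Flag suspicious HTTPS/TLS flows from constructed connection records.

Assumed record layout (not from the article): (src_ip, dst_domain, dst_port,
cert_validation_status, bytes_out). Allowlist and threshold are also assumed.
"""
from collections import defaultdict

# Constructed sample records; 203.0.113.0/24 and example.net are reserved for documentation.
SAMPLE_FLOWS = [
    ("10.0.0.5", "update.microsoft.com", 443, "ok", 12_000),
    ("10.0.0.5", "github.com", 443, "ok", 9_000),
    ("10.0.0.7", "cdn-update.example.net", 443, "self signed certificate", 250_000),
    ("10.0.0.7", "cdn-update.example.net", 443, "self signed certificate", 310_000),
    ("10.0.0.9", "203.0.113.10", 449, "unable to get local issuer certificate", 40_000),
    ("10.0.0.9", "pastebin.com", 443, "ok", 2_000_000),
]

KNOWN_DOMAINS = {"update.microsoft.com", "github.com", "pastebin.com"}  # assumed allowlist
EXPECTED_TLS_PORTS = {443}
BYTES_OUT_THRESHOLD = 1_000_000  # per (src, dst) pair; tune to the environment's baseline


def flag_flows(flows, known=KNOWN_DOMAINS, threshold=BYTES_OUT_THRESHOLD):
    """Return [(src, dst, sorted_reasons)] for every src/dst pair matching a heuristic."""
    # Aggregate outbound bytes per pair first, so volume is judged across all its flows.
    totals = defaultdict(int)
    for src, dst, _port, _status, bytes_out in flows:
        totals[(src, dst)] += bytes_out

    findings = {}
    for src, dst, port, status, _bytes_out in flows:
        reasons = set()
        if status != "ok":                       # invalid, self-signed or forged certificate
            reasons.add("invalid_cert:" + status)
        if dst not in known:                     # https to a domain nobody vetted
            reasons.add("unknown_domain")
        if port not in EXPECTED_TLS_PORTS:       # TLS on an unexpected port (e.g. 449/TCP)
            reasons.add(f"nonstandard_tls_port:{port}")
        if totals[(src, dst)] > threshold:       # volume anomaly, even to a trusted service
            reasons.add("high_outbound_volume")
        if reasons:
            findings.setdefault((src, dst), set()).update(reasons)

    return [(src, dst, sorted(r)) for (src, dst), r in sorted(findings.items())]


if __name__ == "__main__":
    for src, dst, reasons in flag_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```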